DCM4CHEE 5.22.1 instructions for setting up DICOM TLS / client certificates


Antoni Regeling
Jun 8, 2020, 3:09:09 PM
to dcm4che

Hello

Can someone give me up-to-date instructions for setting up DICOM TLS, including instructions for configuring client certificates for a specific AE?

I do have a DICOM endpoint (SCU/SCP) AE configured that uses TLS, and that works, but only if that SCP uses the IHE dcm4chee certificate (named PACS_J4C) that is used by dcm4chee itself as the server certificate. I'm guessing that is because dcm4chee uses that as the default client certificate?

We want to use different server certificates on that DICOM SCP but I don't know how to change the dcm4chee configuration such that it uses the correct client certificate when connecting to that SCP.

I've read Gunter's 'TLS Handshake Tests' article but the instructions in there for setting up TLS are not applicable for the 5.22 version of DCM4CHEE, I think.

Thanks

Ton

Antoni Regeling
Jun 12, 2020, 2:33:52 PM
to dcm4che

No one can help?

The conformance statement says this:

The private key and the Certificate used by an instance of dcm4che DICOM Archive 5 to identify itself in the TLS negotiation with remote applications has to be provided in a local keystore file in PKCS12 or JKS (Java Key Store) format on the application host. Certificates of Certificate Authorities (CA) to validate Certificates received from remote applications during the TLS negotiation can also be provided in a local keystore file in JKS format or at the central LDAP server, used as configuration backend for all instances of dcm4che DICOM Archive 5.

so I know it can be done. 

I just need to know which keystore files to use: should they be in the $WILDFLY_HOME/standalone/configuration/keystores/key.jks and cacerts.jks keystores or in separate keystores, and what configuration is needed so that the system knows which certificates (or keystores) to use? Or does the latter not depend on configuration but on naming conventions, like the certificate alias having to match the device name or something like that?

Thanks!

Gunter Zeilinger
Jun 13, 2020, 5:43:47 AM
to dcm...@googlegroups.com

With the dockerized version you may specify Environment Variables:

KEYSTORE

Path to keystore file with private key and certificate for HTTPS (optional, default is /opt/wildfly/standalone/configuration/keystore/key.jks, with sample key + certificate:

Subject    - CN=PACS_J4C,O=J4CARE,C=AT
Issuer     - CN=IHE Europe CA, O=IHE Europe, C=FR
Valid From - Sun Apr 02 06:38:46 UTC 2017
Valid To   - Fri Apr 02 06:38:46 UTC 2027
MD5 : 7a:b3:f7:5d:cf:6e:84:34:be:5a:7a:12:95:fa:46:76
SHA1 : a9:36:b3:b4:60:63:22:9e:f4:ae:41:d3:3b:97:ca:be:9b:a9:32:e9

provided by the docker image only for testing purposes).
KEYSTORE_PASSWORD

Password used to protect the integrity of the keystore specified by KEYSTORE (optional, default is secret).
KEYSTORE_PASSWORD_FILE

Password used to protect the integrity of the keystore specified by KEYSTORE via file input (alternative to KEYSTORE_PASSWORD).
KEY_PASSWORD

Password used to protect the private key in the keystore specified by KEYSTORE (optional, default is value of KEYSTORE_PASSWORD).
KEY_PASSWORD_FILE

Password used to protect the private key in the keystore specified by KEYSTORE via file input (alternative to KEY_PASSWORD).
KEYSTORE_TYPE

Type (JKS or PKCS12) of the keystore specified by KEYSTORE (optional, default is JKS).
TRUSTSTORE

Path to keystore file with trusted certificates for HTTPS (optional, default is /opt/wildfly/standalone/configuration/keystore/cacerts.jks, with sample CA certificate:

Subject    - CN=IHE Europe CA,O=IHE Europe,C=FR
Issuer     - CN=IHE Europe CA, O=IHE Europe, C=FR
Valid From - Fri Sep 28 11:19:29 UTC 2012
Valid To   - Wed Sep 28 11:19:29 UTC 2022
MD5 : 64:b6:1b:0f:8d:84:17:da:23:e4:e5:1c:56:ba:06:5d
SHA1 : 54:e0:10:c6:4a:fe:2c:aa:20:3f:50:95:45:82:cb:53:55:6b:07:7f

provided by the docker image only for testing purposes).
TRUSTSTORE_PASSWORD

Password used to protect the integrity of the keystore specified by TRUSTSTORE (optional, default is secret).
TRUSTSTORE_PASSWORD_FILE

Password used to protect the integrity of the keystore specified by TRUSTSTORE via file input (alternative to TRUSTSTORE_PASSWORD).

You may also just replace configuration/keystore/cacerts.jks and configuration/keystore/key.jks in the mapped-out volume:
-v /var/local/dcm4chee-arc/wildfly:/opt/wildfly/standalone
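As an added example (not dcm4chee's own code, and not part of Gunter's post): a POSIX shell helper, hypothetically named write_tls_env, that writes a docker --env-file for the variables listed above, uses the *_PASSWORD_FILE variants so the passwords stay out of the container environment, and refuses the image's testing-only default password. It assumes the host directory is mapped to /opt/wildfly/standalone as in the -v option above, and that the keystore and truststore were already copied into its configuration/keystore subdirectory.

```shell
# Added example, not dcm4chee's own code: build a docker --env-file for the
# TLS variables above. Assumes <hostdir> is mounted at /opt/wildfly/standalone
# and that the keystore/truststore already sit in <hostdir>/configuration/keystore/.
# Usage: write_tls_env <hostdir> <keystore> <truststore> <ks-password> <ts-password> <out-file>
CONTAINER_KS_DIR=/opt/wildfly/standalone/configuration/keystore

write_tls_env() {
    hostdir="$1" ks="$2" ts="$3" ks_pw="$4" ts_pw="$5" out="$6"
    ksdir="$hostdir/configuration/keystore"

    # Both stores must be present on the host side of the volume mapping.
    for f in "$ks" "$ts"; do
        [ -s "$ksdir/$f" ] || { echo "missing store: $ksdir/$f" >&2; return 1; }
    done
    # The image's default password "secret" protects only the sample test stores.
    for pw in "$ks_pw" "$ts_pw"; do
        [ "$pw" != secret ] || { echo "refusing default password 'secret'" >&2; return 1; }
    done
    # KEYSTORE_TYPE must match the file format; infer it from the extension.
    case "$ks" in
        *.p12|*.pfx) ks_type=PKCS12 ;;
        *.jks)       ks_type=JKS ;;
        *) echo "cannot infer KEYSTORE_TYPE from $ks" >&2; return 1 ;;
    esac
    # Only a JKS truststore is described above; there is no TRUSTSTORE_TYPE variable.
    case "$ts" in
        *.jks) ;;
        *) echo "truststore must be a .jks file: $ts" >&2; return 1 ;;
    esac
    # Write the passwords to mode-0600 files and reference them via *_PASSWORD_FILE,
    # so they do not show up in 'docker inspect' or the container environment.
    ( umask 077
      printf '%s' "$ks_pw" > "$ksdir/keystore.pw"
      printf '%s' "$ts_pw" > "$ksdir/truststore.pw" ) || return 1
    cat > "$out" <<EOF
KEYSTORE=$CONTAINER_KS_DIR/$ks
KEYSTORE_TYPE=$ks_type
KEYSTORE_PASSWORD_FILE=$CONTAINER_KS_DIR/keystore.pw
TRUSTSTORE=$CONTAINER_KS_DIR/$ts
TRUSTSTORE_PASSWORD_FILE=$CONTAINER_KS_DIR/truststore.pw
EOF
    echo "wrote $out; run: docker run --env-file $out -v $hostdir:/opt/wildfly/standalone ..."
}
```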
